D1 - Security and Risk Management Flashcards
Any single input to a process that, if missing, would cause the process or several processes to be unable to function.
Single Points of Failure (SPOF)
Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others.
Trademark
Proprietary business or technical information, processes, designs, practices, etc., that are confidential and critical to the buisness.
Trade Secret
Determines the potential impact of disruptive events on the organization’s business processes.
Vulnerability Assessment
Defined as the difference between the original value and the remaining value of an asset after a single exploit.
Single Loss Expectancy (SLE)
A systematic process for identifying, analysing, evaluating, remedying, and monitoring risk.
Risk Management
The practice of passing on the risk in question to another entity, such as an insurance company.
Risk Transfer
The practice of the elimination of or the significant decrease in the level of risk presented.
Risk Mitigation
The practice of coming up with alternatives so that the risk in question is not realised.
Risk Avoidance
The practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus benefit of dealing with the risk in another way.
Risk Acceptance
A combination of the probability of an event and its consequence. (ISO 27000)
Risk
An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (RFC 2828)
Risk
The point in time to which data must be restored in order to successfully resume processing.
Recovery Point Objective (RPO)
How quickly you need to have that application’s information available after downtime has occurred.
Recovery Time Objective (RTO)
Controls implemented to restore conditions to normal after a security incident.
Recovery Controls
Controls implemented to prevent a security incident or information breach.
Preventative Controls
Controls to protect the organisation’s people and physical environment, such as locks, fire management, gates, and guards; may be called “operational controls” in some contexts.
Physical Controls
Protect novel, useful, and nonobvious inventions.
Patent
Electronic hardware and software solutions implemented to control access to information and information networks.
Logical (Technical) Controls
Granting users only the accesses that are required to perform their job function.
Least Privilege
Accountable for ensuring the protection of all the business information assets from intentional and unitentional loss, disclosure, alteration, destruction, and unavailability.
Information Security Officer
Comes in two forms; making sure that information is processed correctly and not modified by unauthorised persons, and protecting information as it transits a network.
Integrity
A security event that compromises the confidentiality, integrity, or availability of an information asset.
Incident
Ensures the business focuses on core activities, clarifies who in the organisation has authority to make decisions, determines accountability for actions and responsibilities for outcomes…
Governance
Authorised the President to regulate exports of civilian goods and technologies that have military applications.
Export Administration Act of 1979
A process designed to identify potential events that may risk so it is within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.
Enterprise Risk Management
Is similar to due care with the exception that is a pre-emptive measure made to avoid harm to other persons or their property.
Due Diligence
The care a “reasonable person” would exercise under given circumstances.
Due Care
Controls designed to specify acceptable rules of behaviour within an organisation.
Directive Controls.
Controls designed to discourage people from violating security directives.
Deterrent Controls
Controls designed to signal warning when a security control has been breached.
Detective Controls
A breach for which it was confirmed that actually disclosed (not just exposed) to an unauthorised party.
Data Disclosure
Controls implemented to remedy circumstance,mitigate damage, or restore controls.
Corrective Controls
Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recording, databases, and computer programs.
Copyright
Supports the principal of “least privilege” by providing that only authorised individuals, processes, or systems should have access to information on a need-to-know basis.
Confidentiality
Actions that ensure behaviour that complies with established rules.
Compliance
Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level.
Compensating Controls
An incident that results in the disclosure or potential exposure of data.
Breach
The principal that ensures that information is available and accessible to users when needed.
Availability
Authorises the President to designate those items that shall be considered as defense articles and defense services and control their import and export.
Arms Export Control Act of 1976
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.
Annualised Rate of Occurrence (ARO)
Procedures implemented to define the roles, responsibilities, policies, and administrative functions needed to manage the control environment.
Administrative Controls
